Turkish authorities seized a VPN server operated by ExpressVPN that they say was used to hide details regarding the assassination of the Russian Ambassador to Turkey, Andrei Karlov. The server held no useful information for the authorities, who were investigating the deletion of possible evidence on Facebook and Gmail.

An off-duty Turkish police office shot and killed Karlov in December 2016 at an art exhibition in Turkey’s capital, Ankara. The server was seized sometime in January 2017, but the details related to ExpressVPN were only recently revealed. The case is still open as of time of writing.

Authorities raided the data center and confiscated the server in the hopes of tracking down an as-of-yet unknown person who deleted the assassin’s Facebook and Gmail accounts, along with conversations that could have been useful to the investigation. That person did so under the guise of an ExpressVPN connection, which masks a user’s real IP address and encrypts internet traffic. ExpressVPN says it keeps no logs of its users’ activity nor any other identifying information.

“As we stated to Turkish authorities in January 2017, ExpressVPN does not and has never possessed any customer connection logs that would enable us to know which customer was using the specific IPs cited by the investigators. Furthermore, we were unable to see which customers accessed Gmail or Facebook during the time in question, as we do not keep activity logs. We believe that the investigators’ seizure and inspection of the VPN server in question confirmed these points.”

ExpressVPN cooperated with authorities but simply had no information to give regarding the case. The company is incorporated in the British Virgin Islands, which has no mandatory data retention requirements. Such seizures are not uncommon, an ExpressVPN spokesperson tells Comparitech.

“This isn’t the first time that law enforcement officials have either physically confiscated a server,” the spokesperson explains. “Approaches from law enforcement are part of the normal course of business for a large VPN provider, and that’s one reason that we work hard to ensure that none of our servers contains data that could enable anyone to link online activity with specific users.”

ExpressVPN’s terms of use forbid the use of its service for illegal activities, but because it does not monitor or keep records of what customers do while connected to the VPN, it has little means of enforcement.

While the circumstances are unfortunate, the case bolster’s ExpressVPN’s claims of unrelenting privacy for its users. The service worked exactly as intended and promised in a time when many VPN critics, Edward Snowden among them, cast doubt on such claims.

VPNs are good, but their weakness is the single point of failure: hack or subpoena that one point to see everything. https://t.co/iUxkbJsoK2

Logging polices: read between the lines

But not all VPNs are quite so earnest. In October 2017, police arrested a PureVPN customer on charges of cyberstalking. Ryan Lin used PureVPN to conceal his identity when stalking and harrassing his ex-roommate. When FBI agents approached the Hong Kong-based company, PureVPN handed over logs that incriminated Lin.

A similar noteworthy case occured in 2011 when a LulzSec hacker in the US was arrested for his role in a hack against Sony Pictures. Cody Kretsinger used VPN provider HideMyAss to conceal his identity. When the FBI issued a court order, HideMyAss allegedly handed over logs that incriminated Kretsinger, leading to his arrest.

HideMyAss also claimed not to keep any logs. It is worth noting that the company is now under new ownership.

So what separates the logging policies of ExpressVPN and providers like these? It comes down to what exactly is defined as a “log”, transparency, and how VPN providers advertise.

When HideMyAss and PureVPN claim to be logless, what they really mean is that they don’t keep records of their users’ activity. They don’t record details of what web pages were visited, the contents of communications, or purchases, for example. These are often referred to as traffic logs or activity logs.

They do, however, record information about how the VPN was used, such as when a user connects and disconnects, how much data is transferred, and, most pertinently, users’ real IP addresses. These are known as metadata logs or session logs. Most of this information is fairly benign; it can’t directly identify the user.

But IP addresses are different. An IP address is a string of numbers and decimals that’s unique to a specific device. VPNs mask users’ real IP addresses, but if the VPN company records their real IP address, then authorities can use that information to trace known activity back to a specific device and the person who owns it. An IP address might not legally constitute an identity, but it can be used to corroborate other evidence.

HideMyAss and PureVPN, while claiming not to record any logs in their advertising, do record users’ real IP addresses. Their real logging policies are buried in the fine print of their respective privacy policies, which most users won’t bother reading.

ExpressVPN, as well as the majority of VPNs we recommend on Comparitech, store neither activity logs nor IP addresses. A handful of providers claim to be “zero logs” services, which means they record no information at all about what their customers do online. While this is ideal, prospective VPN customers should be skeptical of such claims, especially from VPNs that are new, free, have few customers, or have a history of logging.

ExpressVPN does record some metadata including “apps and app versions successfully activated, dates (not times) when connected to the VPN service, choice of VPN server location, and total amount (in MB) of data transferred per day.” None of this was found to be useful by Turkish authorities in the Karlov case.

Virtual locations, an imperfect solution

In summer 2017, ExpressVPN was sharply criticized for its use of “virtual locations”. Users who believed their internet traffic was being routed through a VPN server in a location like Pakistan or Sri Lanka were in fact connected to servers in other countries. While the IP address assigned to the server is that of the country chosen, the physical server resides elsewhere.

Researchers claimed ExpressVPN, along with PureVPN and HideMyAss, misrepresented their services. Critics argue this could be disastrous for people who believe they are connecting to a real server in a certain country. ExpressVPN gave this response at the time:

“For less than 3% of ExpressVPN’s servers, the registered IP address matches the country you’ve chosen to connect to, while the server is physically located in another country, usually nearby. These are called virtual server locations, and they help ensure your connection is fast, secure, and reliable.”

Following the seizure of its servers in Turkey, ExpressVPN stopped using physical servers in Turkey and switched to a virtual location instead. In the ExpressVPN app, Turkey is still listed as a location and connecting to it will give users a Turkish IP address, but the physical server is located in the Netherlands.

Contrary to what critics have said, the Karlov incident supports ExpressVPN’s reasoning for using virtual locations. In countries where third parties like intelligence agencies can compromise the security and privacy of data centers—where most servers reside—it makes sense to create a virtual location with a physical server in a country with stronger pro-consumer privacy regulations.

“We have rigorous standards for servers that not only cover ability to connect reliably and at consistently fast speeds, but also physical security and legal jurisdiction,” the spokesperson says. “In some countries, it can be difficult to find servers that meet these qualifications. Virtual server locations make it possible for users to connect to such countries, while still providing the privacy, security, and connection quality they expect from ExpressVPN.”

Virtual locations serve as an imperfect solution for customers who want to connect to a country but who also want to make sure they’re getting the privacy they paid for. Rather than making a blanket statement about how all virtual locations are in some way dishonest, perhaps the more pertinent problem is a lack of transparency. While ExpressVPN now lists which locations are virtual and which are not on its website, the ExpressVPN app itself does not make any distinction between the two.

Update on December 21, 2017: Added quotes from ExpressVPN spokesperson.